qubes-issues icon indicating copy to clipboard operation
qubes-issues copied to clipboard

Published 20 hours ago verified publisher icon QubesOS

Some users think that enabling updates over Tor in the installer will route all update checks over Tor

Open andrewdavidwong opened this issue 1 year ago • 0 comments

How to file a helpful issue

Qubes OS release

4.2

Brief summary

In the installer, there's an option to "Enable system and template updates over the Tor anonymity network using Whonix." Some users mistakenly understand this to mean that all update checks will also be done over Tor (via sys-whonix), when in reality only actual updates are done over Tor.

Steps to reproduce

During Qubes OS installation, select the option to "Enable system and template updates over the Tor anonymity network using Whonix."

Expected behavior

Some users expect that update checks will go over Tor, not just the actual updates themselves.

Examples:

  • https://forum.qubes-os.org/t/24325
  • https://forum.qubes-os.org/t/28235
  • https://forum.qubes-os.org/t/974

Actual behavior

Only the actual update happens over Tor.

Possible solutions

  • Make it so that selecting "Enable system and template updates over the Tor anonymity network using Whonix" also causes all update checks to go over Tor.

  • Preserve the current behavior, but update the software UX and documentation to make it clear how things actually work and why. Also, implement https://github.com/QubesOS/qubes-issues/issues/7586 so that users who desire the expected behavior can configure their own systems to achieve it.

    Part of the reason some users have this mistaken expectation is because they believe that the only purpose of routing updates over Tor is for privacy (e.g., trying to hide the fact that they're using Qubes OS from their ISP, government, or others). From their perspective, it makes no sense to route updates over Tor while routing update checks over clearnet. They're not aware that there are specific security benefits to updating over Tor independent of any privacy benefits and that running update checks over clearnet doesn't detract from these security benefits. They're not aware that these security benefits (and not any purported privacy benefits) were the primary motivation for the implementation of this feature, which is why it currently works the way it does. If the current behavior isn't changed, then the software UX and documentation should be updated to help users to understand why it's implemented this way and thereby better set users' expectations.

This is primarily a UX bug, but the resolution need not be purely a UX solution.

andrewdavidwong avatar Aug 15 '24 02:08 andrewdavidwong